and I was like, in that two seconds,
realized my wife was going to kill me.
Back to the conference.
So many server-to-server apps
authenticate over 1433
because it's safe, right?
So if you've got your server on your intranet
and you've got another server somewhere else,
they're going to do server-to-server communication.
They're going to do some opening queries.
You're going to authenticate that traffic
and open up 1433.
That's crazy.
So here's the deal.
dbnetlib now directly supports
integrated authentication over 1433.
You can send out your NTLM credentials
over 1433 now.
I mean, you need to understand
what we're saying here.
We're just getting to the point
that people realize to block out 139/445
so as it's done.
We're just getting there.
Now, all of a sudden,
we open up the possibility
of a high port
that has actual business use
can now support this.
So that in of itself
isn't necessarily a big deal.
The problem, as we already said,
is 1433 outbound
is typically free to pass.
In fact, I've seen a lot of router configurations
where established traffic,
no matter what it is,
is free to pass,
but then they'll block it
if it is 139/445, right?
You have your denies,
which is also kind of nuts.
So let's just kind of look at what happens here.
A client-side ODBC connection string,
by its nature,
gives the developer the opportunity
to set the server, authentication type,
and library, right?
Connection string server equals this.
Trusted security equals this.
Network library equals this.
So as a developer,
I can set that stuff up.
Well, a website can put a client-side script
or HTML email
that opens up record sets
or ActiveX objects,
things of that nature.
The problem is,
if it's my website,
I'm the one who decides
what goes in that connection string.
So here's a lame example.
In my script,
I do a new ActiveX object.
I mean, and people have ActiveX scripting
sometimes turned off.
Not everyone, but you should.
That's why it's lame.
So we say connection string provider,
SQLOLEDB, integrated security, persist security
info false, initial catalog, blah, blah, blah.
You give the data source,
and right here, you specify dbnetlib.
So when you go and execute this site
or execute this page and this object is instantiated,
I'm specifically designating dbnetlib
and integrated security.
So what's going to happen is your client
is going to deliver its NTLM credentials
right to my box over port 1433.
It's crazy.
All right, so let's see if I can make this happen
in real life here.
Okay.
As I said, I had to redo my whole configuration,
and I was all stressed that something was not
going to work right, Litchfield and all.
And it was in a big hurry.
I actually had to fly home.
Yes, last night, Vegas to Reno was my flight.
Now, close your eyes and imagine the people on that plane.
I would like a ticket from bad to worse, please.
I'm here all week.
Okay, so now I need to go into VMware.
I normally have these guys powered up and ready to go.
Oh, and I have some cool VMware stuff to give away,
so I'll ask some stupid question
or the best insult somebody can give me,
and you'll get a hat and a shirt.
Well, but not right now.
So I'm going to power this guy on.
VMware is actually kind of cool.
It allows you to instantiate.
Well, that's just my CD-ROM.
That wasn't VMware's problem.
That's my problem.
It allows you to instantiate your own little boxes
on your inside of your other active window,
network connections, everything.
So I'm actually starting a Windows 2000 session in here.
He's going to be my client.
All right.
And my active session is my evil server.
Sure.
Was that a question or a stretch?
Okay.
And I'm restarting it because the last time that I did it,
this guy only has 256 mega RAM.
I tried to get somebody to let me borrow their box,
but nobody trusts me for some strange reason.
I mean, even Buddy's like, oh, fear.
I'm like, let me hold your box.
Hell no.
Okay.
Give me just a second.
See, this is where pictures of my wife would come in handy, right?
Hey, hey.
Yeah.
The guy with the V8.
The VMware hat is the one who said that.
Exactly.
What?
Oh, he said, he asked if I wanted some pictures of my wife.
As if he had them.
Just in case you weren't with me there.
I do that every time.
Okay.
Don't look.
I don't trust any of you people.
Okay.
Boy, it would be nice if this works.
Otherwise, you'll just have to trust me.
Who trusts me?
Okay.
Everybody else, I guess, can just go.
Okay.
I'm going to give this session a minute to get its act together.
He lives in a real small window on this box, so, and it's kind of hard to see.
But what it says where the little hand is is, buy crap.
So, I'm just kind of walking somebody through.
And this really isn't on my site.
Just come to my site.
I won't grab your credentials.
Okay.
So, I've got my little ADO DB example here.
Let me get my PowerPoint slide up here.
Hello.
Come back to me.
Okay.
So, I already had the code on that guy.
So, you saw that.
Okay.
So, I'm going to get my sniffer going here.
And I did this in Black Hat.
I actually showed people this the first time.
I showed anybody this for the first time.
I'm still getting my English down.
At Black Hat.
And a couple of people asked if I have like a full-blown exploit and kind of why I'm using Network Monitor to show you this.
Well.
That's not my...
My gig's not to write a bunch of exploit code.
I want to illustrate that stuff can be done.
I'll give you proof of concept.
My real reason for sharing all this is so you people can protect yourselves.
Not so you can go out there and hack everybody up.
Right?
I have to say that.
The Fed is here.
Yeah.
Okay.
One second there.
One second.
Okay.
All right, so I'm going to start a little network capture.
Now, this is an ADODB example.
So we all know that this is kind of lame.
Because you don't have scripting turned on typically.
But this is what bothers me.
This page is accessing a data source from another domain.
Do you want to allow this?
That doesn't tell us anything.
We want to access data in another domain.
That's why we're doing this.
So, it'd be very easy for anyone to assume that yes is right.
It's also the default.
So when you hit enter, it's going to, what's going to happen now is when I hit enter, it's
going to instantiate that ADODB connection object.
And if I wanted to engineer around it, I could say, you know, security settings may require
you to validate blah, blah, blah.
So I'm going to say yes.
Okay.
If it times out, we'll know we're hosed.
But I can work around that.
I think it's going to time out again.
Yep.
It timed out.
But that's okay.
I can still illustrate my point right here.
I'm going to go down my network monitor a little bit here.
Okay.
Where was it?
Maybe it was up here.
So this is where, and I don't know how easy it is for you guys to see, but thankfully
it's kind of highlighted in black.
You'll see the destination port is 1433.
Now.
I'm the server in this case.
So what's happening is my client chose a high port over 1026 destined for 1433.
In many cases, this call would have gone right out of your firewall, right?
I mean, who's blocking outbound 1433 at the egress?
Not a lot of people are.
So the thing to realize here, and I'll show you where it makes the call for the SQL server,
if I don't fall over on those steps.
And that's it.
That's it coming back.
The source is now 1433 from mine going back down to that guy.
Now, if my SQL server service and my active client was really listening, they even went
home and tested it again, but it's kind of hit and miss with my VMware.
You would have missed it.
actually see the NTLM SSP being referenced here. The domain and username are actually
passed in clear text here. It's not even base 64. You'd see that going down there and then
I get my hash right in this data stream here. Who's familiar with Dildog's exploit on the
Telnet server deal with the NTLM hash being passed out? Right. If you want to get a good
breakdown on what the actual packet construction is, then go to the AtStake website. I've got a
copy of it in my bag as well if anybody wants the URL. And they give you the entire package
structure so you can see. A little anticlimactic without being able to see the hash because my
uh...
My box messed up on me. But like I said, this page is accessing a data source. There's another
one that's kind of bad. And I don't want to linger too much on the client side. Really what you need
to know is that your credentials can now be blown out of 1433. That's what I really want to focus
on here. But here's a couple of neat ones. Part of the installation
of those client side tools is a couple of new ActiveX controls that are safe for scripting
by default. And that's a bad thing. One of them is this SQL namespace ActiveX control.
And this is all client side stuff. What that guy's designed to do is to interrogate a SQL
server and get a list of all the objects. Kind of like if you wanted to build your own
enterprise manager, your own code, you could
this ActiveX control to do that. Well, the problem here is that it's completely silent.
I could go to, let's talk about that for a second. How do we acquire a target for this
kind of stuff? SQL 2000 news groups. You can go to one SQL 2000 news group and in a day
probably get 250 email addresses of people posting questions that you know have the client
loaded. Send them an email. Put this guy in here. Set your server. Snip their traffic and you get
all their credentials. You could use that to, if you wanted to do like an SMB relay on the guys,
you could do that. You could take it offline and crack it. It's in LM hash, right? So it's not like
it's going to crack in two seconds, but you could crack it in three months. So if I
got several of your administrators, and that's the other thing. Your database administrators
are typically administrators on that box. If not domain administrators, right? There's
some value to getting those credentials. If I crack them offline, not only do I have your
own credentials, I know I have credentials to your SQL server. There's a lot of neat
stuff that you can do. So let's take a look at this guy.
What am I doing? My brain locked up for a moment. Okay. No, I don't want to debug.
So I'm going to go back here. Underneath here, where I have clicked the spinning head
of Hermod, I feel, well, it might not time out. It's hit and miss. So I'm just going
to start my trace again.
Just in case. Next time I'll bring a couple of laptops, just so I don't have to mess
around with all of this. Okay. So I'm doing it. When I click on that guy, since that
object is marked safe for scripting, and I will say, there is a service pack one for SQL
2000.
I brought this up to Microsoft a month or so ago and wanted to make sure that they had
a service pack in the works before I said anything about it, right? I know, full disclosure,
blah, blah, blah. It's my vulnerability. I'll do what I want with it.
So they did come out with a service pack. The problem is that who takes the service
pack for SQL Server and loads it on their clients? Nobody. So it doesn't do anything.
All your clients still have. You notice all it did was it gave me the time out because
the VMware session is not talking to the other guy. But in the same manner, we'll
see how it tries to open up.
No, that's not it. That was doing the web page. You see, ooh, maybe it did it.
Okay.
Okay.
I think it timed out again. But you'll see it's the same thing. The destination port,
139 doesn't even come into play here. The destination port is 1433. You wouldn't
have even known that that happened. I really wish that I had two. Does anybody? No, I
I really wouldn't do anything to your computer.
Do you have the SQL client on that guy? No? If you want to actually, I mean, this is,
okay. Well, I appreciate it. I'd have to load the SQL client on him.
It's there. The only thing that we didn't see is the word NTLM. If anybody's really
interested in seeing that, you're all going to go do this at home anyway, right? So you'll
see, you'll see that the other, the other problems here are a couple of other ActiveX
controls, SQL distribution, and the merge control. And they're all scriptable, right
from IE.
And they're all marked safe for scripting. So that's where you can grab the creds
for fun and profit. And then I already did my live demo. And I wonder if I have any,
I was gonna, I wanted to talk about kind of how to stop this. From the ActiveX control
standpoint, there's a couple of things that you can do. I'm an advocate of group policy.
The Windows 2000 Group Policy Manager is really powerful.
In a domain environment, you can set up a group policy
that will automatically go out to all of your servers and workstations,
and you can set options like this for IE and security options.
So you can disable stuff that's marked safe for scripting,
which you probably haven't now, but you might want to do that.
You can set your systems not to ever access data sources in another domain.
That's also a smart thing to do.
However, be careful because, you know, I'm not the brightest crayon in the box,
so there's going to be other people, you know, Georgi Guninski
and people who really know what they're doing,
who are going to find ways of instantiating objects on your client
that push your credentials out.
And that's what we're going to do about 1433.
So have a talk with your firewall people, show them if you need to,
and lock down that egress.
Don't let 1433 go out unless you have to.
In large B2B environments, it might be something that has to be done,
and they'll say, well, all the traffic's encrypted on that channel,
so it doesn't matter, but it does matter because the port's open.
So if they're going to do that, make sure that they lock it down,
and they're going to be able to access it from host to host, right?
If you can, keep people, you know, only let out what you have to let out,
and that's the danger here.
So other than applying the service packs to your workstations,
use strong passwords, use group policy,
there's really not a whole lot we can do about this right now.
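The connection-string pattern the talk walks through (integrated security plus a network library pointed at a server the attacker controls) is something a defender can scan for in web content, HTML mail or application configs before a client ever instantiates the object. The checker below is an added example written for this page; it is not code from the talk or from Hammer of God. The allowlisted host names, the `.corp.example` suffix and the sample strings are constructed placeholders, and `dbmssocn` is the documented ODBC value for the TCP/IP net-library, while `dbnetlib` is the library name the speaker uses.

```python
"""Flag ODBC/OLE DB connection strings that would forward the client's
Windows (NTLM via SSPI) credentials to a SQL Server the organisation
does not own. Added example, not the talk's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical allowlist of SQL Server hosts the organisation owns (placeholders).
TRUSTED_HOSTS = {"sqlprod01", "sqlprod01.corp.example"}
TRUSTED_SUFFIXES = (".corp.example",)

# Net-library names that put TDS directly on TCP/IP (1433 by default):
# dbmssocn is the documented ODBC value, dbnetlib is the name used in the talk.
TCP_NETLIBS = {"dbmssocn", "dbnetlib"}


@dataclass
class Finding:
    host: str
    port: Optional[int]
    integrated_auth: bool
    network_library: str
    risky: bool
    reasons: List[str] = field(default_factory=list)


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Braces around a value ({...}) are stripped, as ODBC permits them."""
    out: Dict[str, str] = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        out[key.strip().lower()] = value.strip().strip("{}")
    return out


def split_data_source(ds: str) -> Tuple[str, Optional[int]]:
    """Turn 'tcp:host,1433', 'host\\instance' or 'host' into (host, port)."""
    ds = re.sub(r"^(tcp|np|lpc):", "", ds.strip(), flags=re.IGNORECASE)
    host, _, port = ds.partition(",")
    host = host.split("\\", 1)[0].strip().lower()
    port_num = int(port) if port.strip().isdigit() else None
    return host, port_num


def is_trusted_host(host: str) -> bool:
    return host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES)


def assess(cs: str) -> Finding:
    """Return a Finding; 'risky' is set only when integrated authentication
    is requested toward a host that is not on the allowlist."""
    kv = parse_connection_string(cs)
    source = kv.get("data source") or kv.get("server") or kv.get("address") or ""
    host, port = split_data_source(source)
    integrated = (
        kv.get("integrated security", "").lower() in {"sspi", "true", "yes"}
        or kv.get("trusted_connection", "").lower() in {"yes", "true", "sspi"}
    )
    netlib = kv.get("network library", kv.get("network", "")).lower()

    reasons: List[str] = []
    if integrated and not is_trusted_host(host):
        reasons.append(f"integrated auth requested toward non-allowlisted host {host!r}")
    if netlib in TCP_NETLIBS and not is_trusted_host(host):
        reasons.append(f"TCP net-library {netlib!r} forced toward external host")
    if port is not None and port != 1433:
        reasons.append(f"non-default SQL port {port}; an egress rule on 1433 alone would not catch it")

    risky = integrated and not is_trusted_host(host)
    return Finding(host, port, integrated, netlib, risky, reasons)


# Constructed sample strings (not captured from any real page or mail).
SAMPLES = {
    "external_sspi": "Provider=SQLOLEDB;Integrated Security=SSPI;Persist Security Info=False;"
                     "Initial Catalog=pubs;Data Source=sql.untrusted.example;Network Library=dbmssocn",
    "internal_sspi": "Server=sqlprod01.corp.example;Trusted_Connection=yes;Database=pubs",
    "external_sqllogin": "Server=tcp:partner.example,1433;User ID=reporting;Password=x;Database=pubs",
    "external_port53": "Provider=SQLOLEDB;Integrated Security=SSPI;"
                       "Data Source=sql.untrusted.example,53;Network Library=dbnetlib",
}

if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        f = assess(cs)
        print(f"{name:18} risky={f.risky} host={f.host} port={f.port} reasons={f.reasons}")
```

Only the integrated-authentication case is marked risky, because that is the one that leaks the user's own NTLM credentials; a SQL login to an external host is reported for context but is a different problem. The port check exists because an egress filter that only blocks 1433 is blind to a data source that names another port.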
And I think once people start
using this guy, it's probably going to spread like a fart in an airplane, you know?
I mean, it's going to be, pardon me, ladies and gentlemen,
if that offended you on that one.
So are there any questions about how this can be used, if it matters,
do you care, blah, blah, blah, anybody?
Yes, sir?
Yeah, I actually, I'll put some more slides, I'll put those HTMLs up,
at Hammer of God right now.
I've been here, so I haven't been able to do it.
But it's the Hammer of God website.
The top one's my real life.
I design business accounting software.
Whoo!
It's actually cool stuff, but it's nowhere near as fun as Hammer of God.
So go to the Hammer of God website.
I've got some other tools up there for enumeration and stuff like that.
Well, I talked about that yesterday.
So these slides will be there.
I've actually gotten some requests to write an exploit for this,
and I don't think I'm going to do that.
It's tempting, but, I mean, I think, you know,
you illustrate it and you tell people to protect themselves,
and then I'll leave it to, you know, RFP to write the exploit.
Yes, sir?
Does it work?
Does it work under Windows XP? The ActiveX object does. Now how XP is keeping
it from being instantiated automatically, I don't know. That's what the question was.
Does it work under XP? I'm going to have to say yes, because the DB is not OS specific.
You can load your client side tools on that guy. He's going to open it up and send it
out. Yes, sir?
Can you get the DBNetLib to use Kerberos? Not to my knowledge. I do not know, so I'm
just going to guess. But I'll first state, but I don't know. But my guess is that since
it's NT...
authentication, that the only way it's really going to be able to do that is to pass the hash over,
because you're really authenticating on the other box. So he might acquiesce to a Kerberos server, get
a token, bring it back, check it. I don't know how that would work. I doubt it. But you know what,
I'm glad you said that. The other thing that you can do is force NTLM version 2, if you can get away
with that. Not all of your applications, depending on how they authenticate cross-platform, that may
not work. Who, I'd like to know that, who is successfully running NTLMv2 exclusively?
There you go. Oh, these two guys are. Or do you have questions? Yes, sir?
Oh, you are. Okay, good job. So he's in good shape. Yes, sir?
Oh, yeah, if you want to just engineer your way around it like that, absolutely. And you can also
call this. I mean, it's a library. You can write code and distribute it. It could be a Trojan, it
could be whatever. I mean, it's not like we're, it's not malware. We're not malforming packets. We're not
doing anything. It's valid traffic. It's NTLM traffic over the wire. Now, I mean, it's just, it's
up to your imagination how you're going to get that
library on their box. I'm just telling you, right out of the blue,
you've got a pretty juicy target already. But absolutely, you can do any of that stuff. Yes,
sir?
The buffer, yes, like the overflow or something.
The function of your quality.
The question is, are there any parameters that will cause buffer overflows?
I have no idea. I'm not a buffer overflow guy.
Who did I see?
There's a girl I met. There you are.
She's a buffer overflow person. I don't know.
Litchfield, alas, David Litchfield, about that.
And I'll post
comments and questions and stuff like that
on the site. Very possibly
that you might be able to do that, I would think, though.
You mean, in order to pat...
There is one parameter that Chip Andrews says we can do.
I tried it
before I came today, and it didn't work.
But what Chip says
is that in that connection string
you can specify port.
I am unable to do it.
He's saying go to library equals dbnetlib comma.
Now, if you can do that,
we're all up shit creek,
because then
I set my evil server, I hate that term,
evil server,
I set my server up listening to SQL on port 53.
I set my server up,
send out
these emails,
or just have a website
that sends out the NTLM hash over 53. Now how cool would that be?
If anybody can make that work, please tell me.
Now put your name up and all that crap. I'm not interested in who did what, you
know.
I don't, I won't say I did it.
But I mean, that would be...
And actually tried it. That's the only other parameter I know of.
You very well could cause something
to go into user context and
exploit blah, blah, blah.
Anyone? Bueller? Anyone?
Yes, sir?
Have to be careful. I have to look first, you know.
Okay, yeah, yeah, yeah. The question was, are those parameters that I did in this ODBC connection
string compatible with
your standard ODBC driver libraries? It's collected for writing VB, if you're writing
anything and you just...
Oh, yeah, that's all it is.
It's that string.
You can go into your view, absolutely, just change the network library.
And absolutely.
Well, I know everybody's really hot, and I'm amazed at it. One more question.
Actually got a lot of time. We can all go drink.
But
you know,
and so I kinda...
Other than the SQL Server crap that the service pack does, marks those
ActiveX objects
as not safe for scripting,
but they still exist.
It would probably say your security settings don't allow you to run this, or ask if you
want to run an ActiveX...
or you'd get some other type of dialogue.
And so the question was, what does the service pack do?
And it does some stuff for SQL, I don't know,
but it does mark those ActiveX controls as not safe for scripting.
But that's why I'm saying don't get hung up on these ActiveX controls
because who knows what else we can do to instantiate these objects.
If we can call dbnetlib, then the game's over.
That's the point I want to make.
Yes, sir?
You certainly could do a push install.
I'm just saying the reason I said it's just typically people don't do that.
Like when your Exchange Server service pack comes out,
you go over to the Exchange Server and you install it.
But everyone who has client-side stuff, who cares?
They can connect and do everything.
But you absolutely could.
You could use SMS.
You could use group policy.
You could roll out custom installs.
So, yeah, do that for sure.
Well, good.
I like questions.
Yes, ma'am.
I'm not going to tell you what she said.
No, I'm kidding.
She said if she says thank you, can she add the T-shirt?
And I said yes.
I was going to be mysterious, but I didn't want to insult her.
So, if there aren't any more questions,
I'm going to let everybody run back into the air conditioning.
Thanks very much.
I hope this was of some help.
Some value to you.
Thank you.
And have a good rest of the conference.
Woo-hoo!
Woo-hoo!
